PIN makes Windows LESS, FAR, FAR, LESS secure

In order to use a fingerprint reader one is REQUIRED to allow access through a ridiculously simple (to have any hope of remembering it) PIN authentication process. Which are the least secure credentials I've ever heard of short of nothing at all. All one has to do is guess a few digits and they can bypass a nice long complicated secure pass phrase AND the fingerprint reader. Seriously? HELLO?

If one were to try to set up a PIN that was as secure as a password, it would be necessary to use far more characters. Each digit has 10 options, each letter 26 (for English anyway), if one ignores special characters, which any meaningful pass phrase should include because doing so makes the pass phrase even harder to guess. But let's assume letters only for the sake of argument. A PIN would have to be at least two and a half times as long as a similarly secure password. The point being clear, I hope. NOBODY is going to create a meaningful PIN. It's going to be 1234 or something else that even an adult could guess.

My fingerprint reader worked great under Windows 8.1. No problems at all. I had that and a nice complicated pass phrase to ensure secure login. Adequate enough. Now that I've installed Windows 10 I have to go back to the inconvenience of using the password or I have to allow the use of a nearly totally insecure PIN.

If the goal is to make Windows 10 more secure, why in the world would one be required to create a trivial way to bypass any reasonable form of security that already exists?

Someone needs to reconsider their notion of authentication security. This is so obviously lame that I can't believe anyone with any kind of expertise in authentication security was ever consulted about this "feature."

aside:

By the way, once a PIN is set up and one has essentially removed any significant security from the system, it's a challenge to figure out how to get rid of it. There is no remove button. The only option offered is to change it. The trick to get rid of the PIN is to reset it, not enter anything into the new PIN fields and cancel the process. At least that seems to have worked for me. Though, the darn PIN might still be hiding in there somewhere ready to come back and bite me. For what it's worth, I suggest avoiding my mistake and NOT setting up the PIN in the first place.

Discussion Info


Last updated October 18, 2018. Views 5,051

Thanks for the steps to remove a PIN. I accidentally set one, thinking that I could be able to use my fingerprint for login (like I've been doing for years now). Once I found out how Windows 10 actually doesn't work with biometrics, I was in a bit of a panic. There's no way I'm going to remember a string of numbers sufficiently long to be secure; I already have tons of passwords to remember.

I can't use fingerprints anymore with Windows 10 (even though they all remain registered with my laptop), but at least I don't have to worry about having a good password and a bad one (the PIN).

I totally agree: numbers-only passwords ("PINs") are always an epic fail. It's about as bad as "security questions". Let's see, I forget my password, so the solution is to have me remember more of them? Brilliant. What's next, "My voice is my passport"?

I came into the forums to look for information on using the PIN sign-in feature. I am disappointed to hear you can only use 4 digits. I was going to use a 6-digit PIN, which would be adequate for my new desktop here at the house. It is good to know how to back out of it, but fortunately I had not set it up yet. Thanks for making this discussion post. Appreciate the info ... also the info about the biometrics not working yet in 10.

HP630 now Win10 • Microsoft SP3 now Win10 • HP Envy23 now Win10

It is not true that you can 'only use 4 digits'.

Oh, okay. That would be good. Does it have a maximum number of characters? Is it numbers only? Thanks.

HP630 now Win10 • Microsoft SP3 now Win10 • HP Envy23 now Win10

There is a maximum number of characters of 127 (as an input that is. I'm not sure how it is processed internally of course).

Considering that this is in fact the case, you would have 10^127! combinations if you generate a pin-number randomly.

Though far from optimal, I myself think this should be considered 'safe enough'. If they have a) access to your device and b) enough time / processing power to crack the former PIN, then they'll probably have the time and ability to find and copy a fingerprint.

Aha! Thanks to hints provided over in a Superuser.com post about fingerprint logins not working, I figured out a way to get fingerprint sign-on to work in Windows 10.

In short, if you have any fingerprints registered prior to your upgrade to Windows 10, you must remove them, then re-add them.

So, in my case, after the upgrade, Windows 10 reported that I didn't have any registered fingerprints. So I set up the (still stupid) PIN and tried to register my print. At that point, Windows complained that I already had that print registered, so I canceled. The UI changed to indicate that I had a fingerprint set up. Since it was reporting that everything was OK, that's where I left things.

I have since gone in and set up the PIN, removed the registered fingerprint, and then added it again. And now I can login with my fingerprint---it never bugs me about the PIN. (And that's a good thing, because I set it to some super-long, random string of numbers that I'll never remember; I already have a password and I don't want another one.)

Hi Ralarock,

The design of the login by PIN in Windows 10 is actually very secure. I questioned this myself initially. Here are a few reasons why a PIN rocks even when compared to a 'strong' password...

Let's agree on something first. You might be one of the few that always uses strong passwords, never writes them down, never reuses a password, changes them all every few months, and never gets caught by malware, phishing, and trojan web sites. For everyone else (and that includes me...) passwords are just a broken security paradigm that needs to go away.

While the design of the PIN in Windows 10 appears simplistic (What on earth could they be thinking!!!) it is actually very sophisticated, and is stronger than a strong password. I had these same questions, and was super excited once I found out the details of the design. Here are some high level notes...

  • PINs can be 6 digits, giving you 1 million possible PINs
    I gotcha... 1M may not impress you, but coupled with the choices below, it's overkill.

  • The PIN actually unlocks a powerful cryptographic system tied to hardware.
    This isn't just a simple password replacement.

  • The PIN can only be used on this physical device
    Unless an attacker also steals your physical device, the PIN is useless to them. It can only be used to unlock the local device. 99.99% (fill in made up statistic of your choice here...) of cyber crime is remote. The dude is thousands of miles away... in his basement. This alone is huge.

  • PIN login only allows 4 incorrect attempts before you're challenged
    After just 4 invalid attempts, you're required to enter A1B2C3 to continue to retry.

  • But I use a super strong password (long, characters, etc.)
    One word... Malware. It doesn't care. Malware keystrokes your super cool password just as easily as Password123. Strong passwords help protect you from brute force attacks, but brute force attacks are pretty far down on the list of today's threats.

  • After 1 more failure, you must restart the machine
    You'll see "You've entered an incorrect PIN too many times"
    After a couple iterations of the above being challenged and restarting the device (multiple times), the PIN is blocked.

There is lots more detail, like how the physical hardware can erase its contents if it detects tampering, and other cool details that set the seemingly insecure PIN far apart from any password based system, but suffice it to say that the PIN and biometric sign in using Windows Hello (Facial, fingerprint and Iris) and the cryptographic system that underlies this all is really the beginning of the end of wide scale password use.

Hope that helps,

Scott
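The two posts above argue in opposite directions: the opening post compares a PIN to a password purely by keyspace, and Scott's reply explains that the Windows 10 PIN never leaves the machine, only unlocks a hardware-bound key, and is throttled by an attempt counter. The toy model below, added here as an illustration and not code from Microsoft or from any poster, runs both arguments: it shows a device-bound challenge/response credential where a phished PIN is useless without the device, a stolen device locks after a handful of wrong guesses, and a `digits_to_match` helper that computes, for any alphabet size, how many decimal digits equal a password of a given length by raw keyspace. Everything in it is an assumption for the sake of the demo: the in-memory "TPM", PBKDF2 as the PIN check, a symmetric verification key handed to the relying party at enrollment (real Windows Hello enrolls an asymmetric key pair and keeps the private half in the TPM), and a flat five-failure lockout standing in for the challenge/restart/block sequence Scott describes.

```python
"""Toy model of a device-bound, PIN-gated credential (added example).

Assumptions, not Windows Hello's real design: an in-memory 'TPM', PBKDF2 as
the PIN check, a symmetric verification key registered at enrollment, and a
flat lockout after max_failures wrong PINs.
"""
import hashlib
import hmac
import os
import secrets
from typing import Optional


class Device:
    """Stand-in for the TPM: secrets here never leave the object."""

    def __init__(self, pin: str, max_failures: int = 5):
        self._device_secret = os.urandom(32)   # random, per device, not derived from the PIN
        self._salt = os.urandom(16)
        self._pin_check = self._derive(pin)
        self._failures = 0
        self._max_failures = max_failures
        self.locked = False

    def _derive(self, pin: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), self._salt, 10_000)

    def credential_id(self) -> bytes:
        return hashlib.sha256(b"credential-id" + self._device_secret).digest()

    def verification_key(self) -> bytes:
        # Given to the relying party once, at enrollment (toy: symmetric key).
        return hmac.new(self._device_secret, b"auth-key", hashlib.sha256).digest()

    def sign(self, pin: str, challenge: bytes) -> Optional[bytes]:
        """Answer a challenge only for the right PIN and only while not locked."""
        if self.locked:
            return None
        if not hmac.compare_digest(self._derive(pin), self._pin_check):
            self._failures += 1
            if self._failures >= self._max_failures:
                self.locked = True            # anti-hammering: device refuses further tries
            return None
        self._failures = 0
        return hmac.new(self.verification_key(), challenge, hashlib.sha256).digest()


class RelyingParty:
    """Whatever you log in to. It never sees the PIN, only challenge responses."""

    def __init__(self):
        self._keys = {}

    def enroll(self, device: Device) -> None:
        self._keys[device.credential_id()] = device.verification_key()

    def new_challenge(self) -> bytes:
        return secrets.token_bytes(32)

    def verify(self, cred_id: bytes, challenge: bytes, response: Optional[bytes]) -> bool:
        key = self._keys.get(cred_id)
        if key is None or response is None:
            return False
        expected = hmac.new(key, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def legitimate_login(pin: str = "1234") -> bool:
    dev, rp = Device(pin), RelyingParty()
    rp.enroll(dev)
    ch = rp.new_challenge()
    return rp.verify(dev.credential_id(), ch, dev.sign(pin, ch))


def stolen_pin_without_device(pin: str = "1234") -> bool:
    """Remote attacker phished the PIN but has no device: the PIN alone cannot answer."""
    dev, rp = Device(pin), RelyingParty()
    rp.enroll(dev)
    ch = rp.new_challenge()
    forged = hmac.new(pin.encode(), ch, hashlib.sha256).digest()  # best effort without the device
    return rp.verify(dev.credential_id(), ch, forged)


def stolen_device_without_pin(pin: str = "1234") -> tuple:
    """Attacker holds the device and hammers 4-digit PINs in order.
    Returns (locked, guesses_made, correct_pin_still_works)."""
    dev, rp = Device(pin), RelyingParty()
    rp.enroll(dev)
    ch = rp.new_challenge()
    guesses = 0
    for guess in range(10_000):
        if dev.locked:
            break
        guesses += 1
        if rp.verify(dev.credential_id(), ch, dev.sign(f"{guess:04d}", ch)):
            break
    return (dev.locked, guesses, rp.verify(dev.credential_id(), ch, dev.sign(pin, ch)))


def digits_to_match(password_len: int, alphabet_size: int) -> int:
    """Fewest decimal digits whose keyspace is at least alphabet_size ** password_len
    (exact integer comparison, so no floating-point rounding)."""
    digits = 0
    while 10 ** digits < alphabet_size ** password_len:
        digits += 1
    return digits
```

Running the scenarios: `legitimate_login()` succeeds, `stolen_pin_without_device()` fails because the response is keyed by a secret the attacker never had, and `stolen_device_without_pin()` locks the device after five guesses and then rejects even the correct PIN, which is the property that makes a short PIN tolerable. `digits_to_match(8, 26)` returns 12 and `digits_to_match(8, 95)` returns 16, so by keyspace alone a PIN needs roughly 1.4 to 2 times the length of a password, a gap the lockout is meant to close.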

Thanks to all of you who have given good info about the problems and solutions with the PIN login. My new computer does not have Windows Hello or the right camera for iris/facial recognition or a fingerprint reader ... so PIN it is for now. I am waiting to see if a USB fingerprint reader device for Windows 10 will come out ... if they do, I hope they work without too much hassle. Both my main cell and backup cell have the fingerprint feature and it is great ...

HP630 now Win10 • Microsoft SP3 now Win10 • HP Envy23 now Win10

Having to enter a PIN each time I start my computer is stupid. I am the only one who uses this computer. So far I have found that Windows 10 is just slower and makes my life harder. Why oh why did I accept this? "Only the phantom knows."

Some supporting on-line content here:

https://technet.microsoft.com/en-us/itpro/windows/keep-secure/why-a-pin-is-better-than-a-password
